Document 323295

Glenn K. Bard
Public Agency Training Council tech
Chief Technical Officer
PA State Trooper – Retired
NCMEC – Project ALERT
CISSP, EnCE, CFCE, CHFI, A+, Network+,
Security+, ACE, AME
2
#ISC2Congress
PATCtech
Glenn Bard, CTO
Scott Lucas, Instructor and Examiner
Steve Dempsey, Instructor
Brian Sprinkle, Case Manager and Software consultant
James Alsup, Director - PATC
3
#ISC2Congress
App Analysis
» Now onto the Apps
• For starters, What are Mobile Applications?
• A mobile application (or mobile app) is a software
application designed to run on smartphones, tablet
computers and other mobile devices. They are usually
available through application distribution platforms, which
are typically operated by the owner of the mobile
operating system, such as the Apple App Store, Google
Play, Windows Phone Store, and BlackBerry App World.
•
Source: Wikipedia
4
#ISC2Congress
App Analysis
» How many people use apps?
• According to ABI, it is predicted there will be 56 Billion apps
downloaded……….. In 2013 alone.
• ABI also estimates that app downloads will generate 25
Billion dollars………. In 2013 alone.
» Clearly apps can contain the evidence we need to
prove our cases.
» And the data criminals want to steal.
5
#ISC2Congress
App Analysis
» What kind of apps can be important?
• Messaging apps: KIK, Kakao, Textie, TextMe, TextPlus,
ooVoo, Skype, Yahoo! IM, and so on.
• Social Networking: Facebook, Instagram, Twitter,
FourSquare.
• Cloud Storage: Dropbox, CloudOn, Evernote
• GPS: TeleNav, Google Maps, Mapquest
• Vaults: Private Phone Vault, NQ Vault, Hide Photos
• Picture sharing: SnapChat, Wickr, Blink
• Travel: Kayak, Delta, United
6
#ISC2Congress
App Analysis
» How are we going to get the data out of these
apps?
• The apps are going to contain certain types of files
depending on the OS.
– Apple: DB, SQL, SQLite, and Plist
– Android: DB, SQL, SQLite and XML
7
#ISC2Congress
App Analysis
» Where are we going to find these files?
• Most common place, the device.
• But also:
– Backups
– SD Card
8
#ISC2Congress
App Analysis
» And there are some easy locations to remember to
find it:
First up: iOS
Private / var / Mobile
And this location you will find subfolders, the two we
are going to focus on:
Applications: Third part apps
Library: iOS installed apps
9
#ISC2Congress
App Analysis
10
#ISC2Congress
Applications
Library
11
#ISC2Congress
App Analysis
» And on Android, one of the main locations:
• Data / Data
• Then in that location many apps.
• Under each app pay attention to:
– Shared Prefs
– Databases
» Note: All of the “flavors” of Android are different,
and this is just a guideline, not a steadfast rule.
12
#ISC2Congress
App Analysis
13
#ISC2Congress
App Analysis
14
#ISC2Congress
Shared Prefs
Databases
15
#ISC2Congress
App Analysis
» What tools are we going to need?
• Free:
–
–
–
–
Mozilla FireFox with the add on SQLite Manager
Plist Editor
Notepad
DCode
• Pay:
– Oxygen Forensic Suite has an amazing SQLite Database and
Plist viewer. (The one we are using today.)
– Many other forensic tools such as MPE, Device Seizure,
SecureView , Mobiledit, Lantern, UFED and so on.
16
#ISC2Congress
App Analysis
» What kind of things can we find?
•
•
•
•
•
Locations
Voicemails
“Form Data”
Passwords
And so much more.
» Now let’s do it on a real phone:
17
#ISC2Congress
App Analysis
»
»
»
»
»
»
Glenn K. Bard
[email protected]
Cell: 724-289-0699
Office: 800-365-0119
Website: PATCtech.com
Twitter.com/PATCtech
» https://www.facebook.com/pages/PATCTech/116471378378526
18
#ISC2Congress
`